diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md
index cb4d78123..b9c4002e3 100644
--- a/stable/artifactory/CHANGELOG.md
+++ b/stable/artifactory/CHANGELOG.md
@@ -18,6 +18,7 @@ All changes to this chart will be documented in this file.
 * Updating the example link for downloading the DB driver
 * Added Binary Provider recommendations
 * Added `signedUrlExpirySeconds` option to artifactory.persistence.type of `google-storage`, `google-storage-v2`, and `google-storage-v2-direct`
+* Support for SSL offload HTTPS proto override in Nginx service(ClusterIP) layer. Introduced `nginx.service.ssloffloadForceHttps` field with boolean type.
 ## [107.89.0] - June 7, 2024
 * Fix the indentation of the commented-out sections in the values.yaml file
@@ -40,7 +41,7 @@ All changes to this chart will be documented in this file.
 * Added support for `global.verisons.initContainers` to override `initContainers.image.tag`
 * Fixed an issue with extraSystemYaml merge
 * **IMPORTANT**
-* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext`
+* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext`
 * Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser`
 * Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup`
 * Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy`
@@ -164,7 +165,7 @@ All changes to this chart will be documented in this file.
 ## [107.58.0] - Mar 23, 2023
 * Updated postgresql multi-arch tag version to `13.10.0-debian-11-r14`
 * Removed obselete remove-lost-found initContainer`
-* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode
+* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode
 ## [107.57.0] - Mar 02, 2023
 * Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1793`
@@ -382,7 +383,7 @@ All changes to this chart will be documented in this file.
 ## [12.0.0] - April 22, 2021
 * **Breaking change:**
-* Increased default postgresql persistence size to `200Gi`
+* Increased default postgresql persistence size to `200Gi`
 * Update postgresql tag version to `13.2.0-debian-10-r55`
 * Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000)
 * If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**!
diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml
index 15f5de112..669769ca5 100644
--- a/stable/artifactory/values.yaml
+++ b/stable/artifactory/values.yaml
@@ -1464,6 +1464,131 @@ nginx:
 ## The nginx main conf was moved to files/nginx-main-conf.yaml. This key is commented out to keep support for the old configuration
 # mainConf: |
+ {{- if .Values.nginx.logs.stdout }}
+ access_log /dev/stdout timing;
+ {{- else -}}
+ access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;
+ {{- end }}
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ }
+ artifactoryConf: |
+ {{- if .Values.nginx.https.enabled }}
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;
+ ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;
+ ssl_session_cache shared:SSL:1m;
+ ssl_prefer_server_ciphers on;
+ {{- end }}
+ ## server configuration
+ server {
+ {{- if .Values.nginx.internalPortHttps }}
+ {{- if .Values.nginx.singleStackIPv6Cluster }}
+ listen [::]:{{ .Values.nginx.internalPortHttps }} ssl;
+ {{- else -}}
+ listen {{ .Values.nginx.internalPortHttps }} ssl;
+ {{- end }}
+ {{- else -}}
+ {{- if .Values.nginx.https.enabled }}
+ {{- if .Values.nginx.singleStackIPv6Cluster }}
+ listen [::]:{{ .Values.nginx.https.internalPort }} ssl;
+ {{- else -}}
+ listen {{ .Values.nginx.https.internalPort }} ssl;
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.nginx.internalPortHttp }}
+ {{- if .Values.nginx.singleStackIPv6Cluster }}
+ listen [::]:{{ .Values.nginx.internalPortHttp }};
+ {{- else -}}
+ listen {{ .Values.nginx.internalPortHttp }};
+ {{- end }}
+ {{- else -}}
+ {{- if .Values.nginx.http.enabled }}
+ {{- if .Values.nginx.singleStackIPv6Cluster }}
+ listen [::]:{{ .Values.nginx.http.internalPort }};
+ {{- else -}}
+ listen {{ .Values.nginx.http.internalPort }};
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ server_name ~(?.+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }}
+ {{- range .Values.ingress.hosts -}}
+ {{- if contains "." . -}}
+ {{ "" | indent 0 }} ~(?.+)\.{{ . }}
+ {{- end -}}
+ {{- end -}};
+
+ if ($http_x_forwarded_proto = '') {
+ set $http_x_forwarded_proto $scheme;
+ }
+ set $host_port {{ .Values.nginx.https.externalPort }};
+ if ( $scheme = "http" ) {
+ set $host_port {{ .Values.nginx.http.externalPort }};
+ }
+ ## Application specific logs
+ ## access_log /var/log/nginx/artifactory-access.log timing;
+ ## error_log /var/log/nginx/artifactory-error.log;
+ rewrite ^/artifactory/?$ / redirect;
+ if ( $repo != "" ) {
+ rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;
+ }
+ chunked_transfer_encoding on;
+ client_max_body_size 0;
+
+ location / {
+ proxy_read_timeout 900;
+ proxy_pass_header Server;
+ proxy_cookie_path ~*^/.* /;
+ proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/;
+ {{- if .Values.nginx.service.ssloffload}}
+ {{- if .Values.nginx.service.ssloffloadForceHttps}}
+ proxy_set_header X-JFrog-Override-Base-Url https://$host;
+ proxy_set_header X-Forwarded-Proto https;
+ {{- else }}
+ proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ {{- end }}
+ {{- else }}
+ proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ {{- end }}
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ {{- if .Values.nginx.disableProxyBuffering}}
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ {{- end }}
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ location /artifactory/ {
+ if ( $request_uri ~ ^/artifactory/(.*)$ ) {
+ proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;
+ }
+ proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;
+ }
+ location /pipelines/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ {{- if .Values.router.tlsEnabled }}
+ proxy_pass https://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }};
+ {{- else }}
+ proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }};
+ {{- end }}
+ }
+ }
+ }
 ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration
 # artifactoryConf: |
 customInitContainers: ""
@@ -1478,6 +1603,8 @@ nginx:
 ## For minikube, set this to NodePort, elsewhere use LoadBalancer
 type: LoadBalancer
 ssloffload: false
+ ## @param service.ssloffloadForceHttps Override http_x_forwarded_proto flag for external ingress (optional, likely OpenShift specific for ClusterIP based nginx service config)
+ ssloffloadForceHttps: false
 ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific)
 ## This can be either SingleStack, PreferDualStack or RequireDualStack
 ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
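Review bot: The added `artifactoryConf` enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, which still offers TLS 1.0 and 1.1, both deprecated by RFC 8996; `ssl_protocols TLSv1.2 TLSv1.3;` would be the safer chart default, leaving older versions to an explicit override. In `location /`, when `ssloffload` is true and `ssloffloadForceHttps` is false, `X-JFrog-Override-Base-Url` and `X-Forwarded-Proto` are built from `$http_x_forwarded_proto`, which is a request header, so the result is only trustworthy if nginx is reachable solely through a proxy that overwrites that header; a comment stating that assumption next to the branch would help. The hunk also appears to place a `mainConf` tail and an active `artifactoryConf:` key directly above the comment saying the config was moved to files/nginx-artifactory-conf.yaml. Indentation is not recoverable from this view, so please confirm this is intentional, since two copies of the TLS and proxy settings can drift apart.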
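Review bot: The `@param` comment for `ssloffloadForceHttps` does not say that the nginx template reads the flag only inside the `ssloffload` branch, so setting it while `ssloffload: false` has no effect. It should also state that enabling it makes nginx send `X-Forwarded-Proto: https` and an `https://` base URL regardless of how the client actually connected, which is only correct behind a TLS-terminating ingress or route. Suggested comment: `## Only used when service.ssloffload is true; forces X-Forwarded-Proto and the override base URL to https, enable only behind a TLS-terminating ingress/route`.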